espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-10-03 02:20:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix/allow_pre_programmed_efuse_pseudo_round_level_when_set_release_mode' into 'master'

Browse Source 
Allow pre-programmed XTS-AES psuedo round level efuses

See merge request espressif/esp-idf!42041
This commit is contained in:
Mahavir Jain
2025-09-30 11:09:43 +05:30
parent 729be4656b 6be7a17ce0
commit 343fd79462
6 changed files with 17 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
components/bootloader/Kconfig.projbuild
View File

@@ -1106,8 +1106,9 @@ menu "Security features"
config SECURE_FLASH_PSEUDO_ROUND_FUNC config SECURE_FLASH_PSEUDO_ROUND_FUNC
bool "Permanently enable XTS-AES's pseudo rounds function" bool "Permanently enable XTS-AES's pseudo rounds function"
default y default y if SECURE_FLASH_ENCRYPTION_MODE_RELEASE
depends on SECURE_FLASH_ENCRYPTION_MODE_RELEASE && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND default n
depends on SECURE_FLASH_ENC_ENABLED && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
help help
If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function. If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function.
Note: Enabling this config would burn an efuse. Note: Enabling this config would burn an efuse.

4
components/bootloader_support/include/esp_flash_encrypt.h
View File

@@ -215,6 +215,10 @@ bool esp_flash_encryption_cfg_verify_release_mode(void);
* It burns: * It burns:
* - "disable encrypt in dl mode" * - "disable encrypt in dl mode"
* - set FLASH_CRYPT_CNT efuse to max * - set FLASH_CRYPT_CNT efuse to max
*
* In case of the targets that support the XTS-AES peripheral's pseudo rounds function,
* this API would configure the pseudo rounds level efuse bit to level low if the efuse bit
* is not set already.
*/ */
void esp_flash_encryption_set_release_mode(void); void esp_flash_encryption_set_release_mode(void);

2
components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
View File

@@ -44,7 +44,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND) #if CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC
ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function..."); ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH; uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);

2
components/bootloader_support/src/esp32c61/flash_encryption_secure_features.c
View File

@@ -40,7 +40,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND) #if CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC
ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function..."); ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH; uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);

2
components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
View File

@@ -36,7 +36,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND) #if CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC
if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function..."); ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH; uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;

7
components/bootloader_support/src/flash_encrypt.c
View File

@@ -212,9 +212,14 @@ void esp_flash_encryption_set_release_mode(void)
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND #ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW; uint8_t xts_pseudo_level = 0;
esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
if (xts_pseudo_level == ESP_XTS_AES_PSEUDO_ROUNDS_DISABLE) {
xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
} }
}
#endif #endif
#ifdef CONFIG_IDF_TARGET_ESP32 #ifdef CONFIG_IDF_TARGET_ESP32